SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)

SPAWNSNAIL is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (the process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.

SPAWNSNAIL's second purpose is to inject SPAWNSLOTH into dslogserver, a process supporting event logging on Connect Secure.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | 1 |
| SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3) | Tool | 1 |
| SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 1 |
| SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | 1 |
| SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | 2 |
| SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3) | Tool | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | 2 |
| UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | 2 |
| BRICKSTORM (64a0e3ab-e201-4fdc-9836-85365dfa84bb) | Backdoor | UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | 3 |
| UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | ROOTROT (69d0512d-c12a-4e17-a335-deba012a8499) | Tool | 3 |